CVE-2023-38496 (GCVE-0-2023-38496)
Vulnerability from cvelistv5
Published
2023-07-25 21:02
Modified
2024-10-10 17:31
Summary
Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:46:54.942Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx" }, { "name": "https://github.com/apptainer/apptainer/pull/1523", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apptainer/apptainer/pull/1523" }, { "name": "https://github.com/apptainer/apptainer/pull/1578", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apptainer/apptainer/pull/1578" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-38496", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-10T16:24:46.824995Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-10T17:31:57.112Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "apptainer", "vendor": "apptainer", "versions": [ { "status": "affected", "version": "\u003e= 1.2.0-rc.2, \u003c 1.2.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-271", "description": "CWE-271: Privilege Dropping / Lowering Errors", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-25T21:02:12.018Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx" }, { "name": "https://github.com/apptainer/apptainer/pull/1523", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apptainer/apptainer/pull/1523" }, { "name": "https://github.com/apptainer/apptainer/pull/1578", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apptainer/apptainer/pull/1578" } ], "source": { "advisory": "GHSA-mmx5-32m4-wxvx", "discovery": "UNKNOWN" }, "title": "Apptainer\u0027s ineffective privileges drop when requesting container network" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-38496", "datePublished": "2023-07-25T21:02:12.018Z", "dateReserved": "2023-07-18T16:28:12.076Z", "dateUpdated": "2024-10-10T17:31:57.112Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": 
"{\"cve\":{\"id\":\"CVE-2023-38496\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-07-25T22:15:10.503\",\"lastModified\":\"2024-11-21T08:13:41.667\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":3.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"},{\"lang\":\"en\",\"value\":\"CWE-271\"}]},{\"source\":\"nvd@nist.gov\",\"t
ype\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lfprojects:apptainer:1.2.0:-:*:*:*:go:*:*\",\"matchCriteriaId\":\"7B4FFEA3-9FB9-4B9F-968E-E5C3282B6786\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lfprojects:apptainer:1.2.0:rc2:*:*:*:go:*:*\",\"matchCriteriaId\":\"35B641D0-6C93-45F0-A297-1BBE3BF65DB6\"}]}]}],\"references\":[{\"url\":\"https://github.com/apptainer/apptainer/pull/1523\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/apptainer/apptainer/pull/1578\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/apptainer/apptainer/pull/1523\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/apptainer/apptainer/pull/1578\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}", "vulnrichment": { "containers": "{\"cna\": {\"title\": \"Apptainer\u0027s ineffective privileges drop when requesting container network\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-271\", \"lang\": \"en\", \"description\": \"CWE-271: Privilege Dropping / Lowering Errors\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-269\", \"lang\": \"en\", \"description\": \"CWE-269: Improper Privilege Management\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"LOCAL\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 
6.1, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx\"}, {\"name\": \"https://github.com/apptainer/apptainer/pull/1523\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/apptainer/apptainer/pull/1523\"}, {\"name\": \"https://github.com/apptainer/apptainer/pull/1578\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/apptainer/apptainer/pull/1578\"}], \"affected\": [{\"vendor\": \"apptainer\", \"product\": \"apptainer\", \"versions\": [{\"version\": \"\u003e= 1.2.0-rc.2, \u003c 1.2.1\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-07-25T21:02:12.018Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. 
There is no known workaround outside of upgrading to Apptainer 1.2.1.\"}], \"source\": {\"advisory\": \"GHSA-mmx5-32m4-wxvx\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T17:46:54.942Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx\"}, {\"name\": \"https://github.com/apptainer/apptainer/pull/1523\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/apptainer/apptainer/pull/1523\"}, {\"name\": \"https://github.com/apptainer/apptainer/pull/1578\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/apptainer/apptainer/pull/1578\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-38496\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-10T16:24:46.824995Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-10T17:31:53.000Z\"}}]}", "cveMetadata": "{\"cveId\": \"CVE-2023-38496\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-07-18T16:28:12.076Z\", \"datePublished\": \"2023-07-25T21:02:12.018Z\", \"dateUpdated\": \"2024-10-10T17:31:57.112Z\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
opensuse-su-2024:13073-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
apptainer-1.2.1-1.1 on GA media
Notes
Title of the patch
apptainer-1.2.1-1.1 on GA media
Description of the patch
These are all security issues fixed in the apptainer-1.2.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13073
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "apptainer-1.2.1-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the apptainer-1.2.1-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-13073", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13073-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2023-38496 page", "url": "https://www.suse.com/security/cve/CVE-2023-38496/" } ], "title": "apptainer-1.2.1-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:13073-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { 
"branches": [ { "branches": [ { "category": "product_version", "name": "apptainer-1.2.1-1.1.aarch64", "product": { "name": "apptainer-1.2.1-1.1.aarch64", "product_id": "apptainer-1.2.1-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "apptainer-1.2.1-1.1.ppc64le", "product": { "name": "apptainer-1.2.1-1.1.ppc64le", "product_id": "apptainer-1.2.1-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "apptainer-1.2.1-1.1.s390x", "product": { "name": "apptainer-1.2.1-1.1.s390x", "product_id": "apptainer-1.2.1-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "apptainer-1.2.1-1.1.x86_64", "product": { "name": "apptainer-1.2.1-1.1.x86_64", "product_id": "apptainer-1.2.1-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "apptainer-1.2.1-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:apptainer-1.2.1-1.1.aarch64" }, "product_reference": "apptainer-1.2.1-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-1.2.1-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:apptainer-1.2.1-1.1.ppc64le" }, "product_reference": "apptainer-1.2.1-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", 
"full_product_name": { "name": "apptainer-1.2.1-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:apptainer-1.2.1-1.1.s390x" }, "product_reference": "apptainer-1.2.1-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-1.2.1-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:apptainer-1.2.1-1.1.x86_64" }, "product_reference": "apptainer-1.2.1-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-38496", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-38496" } ], "notes": [ { "category": "general", "text": "Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. 
There is no known workaround outside of upgrading to Apptainer 1.2.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:apptainer-1.2.1-1.1.aarch64", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.ppc64le", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.s390x", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-38496", "url": "https://www.suse.com/security/cve/CVE-2023-38496" }, { "category": "external", "summary": "SUSE Bug 1213659 for CVE-2023-38496", "url": "https://bugzilla.suse.com/1213659" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:apptainer-1.2.1-1.1.aarch64", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.ppc64le", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.s390x", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:apptainer-1.2.1-1.1.aarch64", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.ppc64le", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.s390x", "openSUSE Tumbleweed:apptainer-1.2.1-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2023-38496" } ] }
opensuse-su-2024:0244-1
Vulnerability from csaf_opensuse
Published
2024-08-16 04:02
Modified
2024-08-16 04:02
Summary
Security update for apptainer
Notes
Title of the patch
Security update for apptainer
Description of the patch
This update for apptainer fixes the following issues:
- Make sure that digest values handled by the Go library
github.com/opencontainers/go-digest and used throughout the
Go-implemented containers ecosystem are always validated. This
prevents attackers from triggering unexpected authenticated
registry accesses. (CVE-2024-3727, boo#1224114).
- Updated apptainer to version 1.3.0
* FUSE mounts are now supported in setuid mode, enabling full
functionality even when kernel filesystem mounts are insecure due to
unprivileged users having write access to raw filesystems in
containers. When allow `setuid-mount extfs = no` (the default) in
apptainer.conf, then the fuse2fs image driver will be used to mount
ext3 images in setuid mode instead of the kernel driver (ext3 images
are primarily used for the `--overlay` feature), restoring
functionality that was removed by default in Apptainer 1.1.8 because
of the security risk.
The allow `setuid-mount squashfs` configuration option in
`apptainer.conf` now has a new default called `iflimited` which allows
kernel squashfs mounts only if there is at least one `limit container`
option set or if Execution Control Lists are activated in ecl.toml.
If kernel squashfs mounts are not allowed, then the squashfuse
image driver will be used instead.
`iflimited` is the default because if one of those limits is used
the system administrator ensures that unprivileged users do not have
write access to the containers, but on the other hand using FUSE
would enable a user to theoretically bypass the limits via `ptrace()`
because the FUSE process runs as that user.
The `fuse-overlayfs` image driver will also now be tried in setuid
mode if the kernel overlayfs driver does not work (for example if
one of the layers is a FUSE filesystem). In addition, if `allow
setuid-mount encrypted = no` then the unprivileged gocryptfs format
will be used for encrypting SIF files instead of the kernel
device-mapper. If a SIF file was encrypted using the gocryptfs
format, it can now be mounted in setuid mode in addition to
non-setuid mode.
* Change the default in user namespace mode to use either kernel
overlayfs or fuse-overlayfs instead of the underlay feature for the
purpose of adding bind mount points. That was already the default in
setuid mode; this change makes it consistent. The underlay feature
can still be used with the `--underlay` option, but it is deprecated
because the implementation is complicated and measurements have
shown that the performance of underlay is similar to overlayfs and
fuse-overlayfs.
For now the underlay feature can be made the default again with a
new `preferred` value on the `enable underlay` configuration option.
Also the `--underlay` option can be used in setuid mode or as the
root user, although it was ignored previously.
* Prefer again to use kernel overlayfs over fuse-overlayfs when a
lower layer is FUSE and there's no writable upper layer, undoing the
change from 1.2.0. Another workaround was found for the problem that
change addressed. This applies in both setuid mode and in user
namespace mode.
* `--cwd` is now the preferred form of the flag for setting the
container's working directory, though `--pwd` is still supported for
compatibility.
* The way `--home` is handled when running as root (e.g. sudo apptainer)
or with `--fakeroot` has changed. Previously, we were only modifying
the `HOME` environment variable in these cases, while leaving the
container's `/etc/passwd` file unchanged (with its homedir field
pointing to `/root`, regardless of the value passed to `--home`). With
this change, both value of HOME and the contents of `/etc/passwd` in
the container will reflect the value passed to `--home` if the
container is readonly. If the container is writable, the
`/etc/passwd` file is left alone because it can interfere with
commands that want to modify it.
* The `--vm` and related flags to start apptainer inside a VM have been
removed. This functionality was related to the retired Singularity Desktop
/ SyOS projects.
* The keyserver-related commands that were under `remote` have been moved to
their own, dedicated `keyserver` command. Run `apptainer help keyserver`
for more information.
* The commands related to OCI/Docker registries that were under `remote` have
been moved to their own, dedicated `registry` command. Run
`apptainer help registry` for more information.
* The `remote list` subcommand now outputs only remote endpoints (with
keyservers and OCI/Docker registries having been moved to separate
commands), and the output has been streamlined.
* Adding a new remote endpoint using the `apptainer remote add` command will
now set the new endpoint as default. This behavior can be suppressed by
supplying the `--no-default` (or `-n`) flag to `remote add`.
* Skip parsing build definition file template variables after comments
beginning with a hash symbol.
* The global `/tmp` directory is no longer used for gocryptfs mountpoints.
- New Features & Functionality
* The `remote status` command will now print the username, realname, and
email of the logged-in user, if available.
* Add monitoring feature support, which requires the usage of an
additional tool named `apptheus`, this tool will put apptainer starter
into a newly created cgroup and collect system metrics.
* A new `--no-pid` flag for `apptainer run/shell/exec` disables the PID
namespace inferred by `--containall` and `--compat`.
* Added `--config` option to `keyserver` commands.
* Honor an optional remoteName argument to the `keyserver list` command.
* Added the `APPTAINER_ENCRYPTION_PEM_DATA` env var to allow for
encrypting and running encrypted containers without a PEM file.
* Added `--sharens` mode for `apptainer exec/run/shell`, which enables
running multiple apptainer instances created by the same parent using
the same image in the same user namespace.
- Make 'gocryptfs' an optional dependency.
- Make apptainer definition templates version dependent.
- Fix 'apptainer build' using signed packages from the SUSE
Registry (boo#1221364).
- Updated apptainer to version 1.2.5
* Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA
Drivers (known with >= 525.85.05) require this lib to compile
OpenCL programs against NVIDIA GPUs, i.e. `libnvidia-opencl`
depends on `libnvidia-nvvm`.
* Disable the usage of cgroup in instance creation when
`--fakeroot` is passed.
* Disable the usage of cgroup in instance creation when `hidepid`
mount option on `/proc` is set.
* Fixed a regression introduced in 1.2.0 where the user's
password file information was not copied in to the container
when there was a parent root-mapped user namespace (as is the
case for example in `cvmfsexec`).
* Added the upcoming NVIDIA driver library `libnvidia-gpucomp.so`
to the list of libraries to add to NVIDIA GPU-enabled
containers. Fixed missing error handling during the creation
of an encrypted image that led to the generation of corrupted
images.
* Use `APPTAINER_TMPDIR` for temporary files during privileged
image encryption.
* If rootless unified cgroups v2 is available when starting an
image but `XDG_RUNTIME_DIR` or `DBUS_SESSION_BUS_ADDRESS` is
not set, print an info message that stats will not be available
instead of exiting with a fatal error.
* Allow templated build arguments to definition files to have
empty values.
- Package .def templates separately for different SPs.
- Do not build squashfuse, require it as a dependency.
- Replace awkward 'Obsoletes: singularity-*' as well as the
'Provides: Singularity' by 'Conflicts:' and drop the provides -
the versioning scheme does not match and we do not automatically
migrate from one to the other.
- Exclude platforms which do not provide all build dependencies.
- updated to 1.2.3 with following changes:
* The apptainer push/pull commands now show a progress bar for the oras
protocol like there was for docker and library protocols.
* The --nv and --rocm flags can now be used simultaneously.
* Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action
commands that refer to instance://.
* Fix the issue that apptainer would not read credentials from the Docker
fallback path ~/.docker/config.json if missing in the apptainer
credentials.
- updated to 1.2.2 with following changes:
* Fix $APPTAINER_MESSAGELEVEL to correctly set the logging level.
* Fix build failures when in setuid mode and unprivileged user namespaces are
unavailable and the --fakeroot option is not selected.
- updated to 1.2.1 to fix CVE-2023-38496, although it is not relevant as the
package is compiled with setuid
- update to 1.2.0 with following changes:
* binary is built reproducibly, which disables plugins
* Create the current working directory in a container when it doesn't exist.
This restores behavior as it was before singularity 3.6.0. As a result,
using --no-mount home won't have any effect when running apptainer from a
home directory and will require --no-mount home,cwd to avoid mounting that
directory.
* Handle current working directory paths containing symlinks both on the host
and in a container but pointing to different destinations. If detected, the
current working directory is not mounted when the destination directory in
the container exists.
* Destination mount points are now sorted by shortest path first to ensure
that a user bind doesn't override a previous bind path when set in
arbitrary order on the CLI. This is also applied to image binds.
* When the kernel supports unprivileged overlay mounts in a user namespace,
the container will be constructed by default using an overlay instead of an
underlay layout for bind mounts. A new --underlay action option can be used
to prefer underlay instead of overlay.
* sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new
installations. This is an increase from 16 MiB in prior versions.
* The apptainer cache is now architecture aware, so the same home directory
cache can be shared by machines with different architectures.
* Overlay is blocked on the panfs filesystem, allowing sandbox directories to
be run from panfs without error.
* Lookup and store user/group information in stage one prior to entering any
namespaces, to fix an issue with winbind not correctly looking up
user/group information when using user namespaces.
- New features / functionalities
* Support for unprivileged encryption of SIF files using gocryptfs. This is
not compatible with privileged encryption, so containers encrypted by root
need to be rebuilt by an unprivileged user.
* Templating support for definition files. Users can now define variables in
definition files via a matching pair of double curly brackets. Variables of
the form {{ variable }} will be replaced by a value defined either by a
variable=value entry in the %arguments section of the definition file or
through new build options --build-arg or --build-arg-file.
* Add a new instance run command that will execute the runscript when an
instance is initiated instead of executing the startscript.
* The sign and verify commands now support signing and verification with
non-PGP key material by specifying the path to a private key via the --key
flag.
* The verify command now supports verification with X.509 certificates by
specifying the path to a certificate via the --certificate flag. By
default, the system root certificate pool is used as trust anchors unless
overridden via the --certificate-roots flag. A pool of intermediate
certificates that are not trust anchors, but can be used to form a
certificate chain, can also be specified via the
--certificate-intermediates flag.
* Support for online verification checks of X.509 certificates using OCSP
protocol via the new verify --ocsp-verify option.
* The instance stats command displays the resource usage every second. The
--no-stream option disables this interactive mode and shows the
point-in-time usage.
* Instances are now started in a cgroup by default, when run as root or when
unified cgroups v2 with systemd as manager is configured. This allows
apptainer instance stats to be supported by default when possible.
* The instance start command now accepts an optional --app <name> argument
which invokes a start script within the %appstart <name> section in the
definition file. The instance stop command still only requires the instance
name.
* The instance name is now available inside an instance via the new
APPTAINER_INSTANCE environment variable.
* The --no-mount flag now accepts the value bind-paths to disable mounting of
all bind path entries in apptainer.conf.
* Support for DOCKER_HOST parsing when using docker-daemon://
* DOCKER_USERNAME and DOCKER_PASSWORD supported without APPTAINER_ prefix.
* Add new Linux capabilities CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE.
* The remote get-login-password command allows users to retrieve a remote's
token. This enables piping the secret directly into docker login while
preventing it from showing up in a shell's history.
* Define EUID in %environment alongside UID.
* In --rocm mode, the whole of /dev/dri is now bound into the container when
--contain is in use. This makes /dev/dri/render devices available, required
for later ROCm versions.
- update to 1.1.9 with following changes:
* Remove warning about unknown xino=on option from fuse-overlayfs, introduced
in 1.1.8.
* Ignore extraneous warning from fuse-overlayfs about a readonly /proc.
* Fix dropped 'n' characters on some platforms in definition file stored as
part of SIF metadata.
* Remove duplicated group ids.
* Fix not being able to handle multiple entries in LD_PRELOAD when binding
fakeroot into container during apptainer startup for --fakeroot with
fakeroot command.
- Included a fix for CVE-2023-30549, a vulnerability in setuid-root
installations of Apptainer; setuid-root mode was not active in the recent
openSUSE packages, so they were not exposed. Still, the fix is included for
completeness. The fix adds allow
setuid-mount configuration options encrypted, squashfs, and extfs, and makes
the default for extfs be 'no'. That disables the use of extfs mounts
including for overlays or binds while in the setuid-root mode, while leaving
it enabled for unprivileged user namespace mode. The default for encrypted
and squashfs is 'yes'.
- Other bug fixes:
* Fix loop device 'no such device or address' spurious errors when using shared
loop devices.
* Add xino=on mount option for writable kernel overlay mount points to fix
inode numbers consistency after kernel cache flush (not applicable to
fuse-overlayfs).
- updated to 1.1.7 with following changes:
* Allow gpu options such as --nv to be nested by always inheriting all
libraries bound in to a parent container's /.singularity.d/libs.
* Map the user's home directory to the root home directory by default in the
non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both
action commands and building containers from definition files.
* Make the error message more helpful in another place where a remote is
found to have no library client.
* Avoid incorrect error when requesting fakeroot network.
* Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. Fixes issues where
unsquashfs on host uses libraries in non-default paths.
Patchnames
openSUSE-2024-244
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for apptainer", "title": "Title of the patch" }, { "category": "description", "text": "This update for apptainer fixes the following issues:\n\n- Make sure, digest values handled by the Go library\n github.com/opencontainers/go-digest and used throughout the\n Go-implemented containers ecosystem are always validated. This\n prevents attackers from triggering unexpected authenticated\n registry accesses. (CVE-2024-3727, boo#1224114).\n \n\n- Updated apptainer to version 1.3.0\n * FUSE mounts are now supported in setuid mode, enabling full\n functionality even when kernel filesystem mounts are insecure due to\n unprivileged users having write access to raw filesystems in\n containers. 
When allow `setuid-mount extfs = no` (the default) in\n apptainer.conf, then the fuse2fs image driver will be used to mount\n ext3 images in setuid mode instead of the kernel driver (ext3 images\n are primarily used for the `--overlay` feature), restoring\n functionality that was removed by default in Apptainer 1.1.8 because\n of the security risk.\n The allow `setuid-mount squashfs` configuration option in\n `apptainer.conf` now has a new default called `iflimited` which allows\n kernel squashfs mounts only if there is at least one `limit container`\n option set or if Execution Control Lists are activated in ecl.toml.\n If kernel squashfs mounts are not allowed, then the squashfuse\n image driver will be used instead.\n `iflimited` is the default because if one of those limits is used\n the system administrator ensures that unprivileged users do not have\n write access to the containers, but on the other hand using FUSE\n would enable a user to theoretically bypass the limits via `ptrace()`\n because the FUSE process runs as that user.\n The `fuse-overlayfs` image driver will also now be tried in setuid\n mode if the kernel overlayfs driver does not work (for example if\n one of the layers is a FUSE filesystem). In addition, if `allow\n setuid-mount encrypted = no` then the unprivileged gocryptfs format\n will be used for encrypting SIF files instead of the kernel\n device-mapper. If a SIF file was encrypted using the gocryptfs\n format, it can now be mounted in setuid mode in addition to\n non-setuid mode.\n * Change the default in user namespace mode to use either kernel\n overlayfs or fuse-overlayfs instead of the underlay feature for the\n purpose of adding bind mount points. That was already the default in\n setuid mode; this change makes it consistent. 
The underlay feature\n can still be used with the `--underlay` option, but it is deprecated\n because the implementation is complicated and measurements have\n shown that the performance of underlay is similar to overlayfs and\n fuse-overlayfs.\n For now the underlay feature can be made the default again with a\n new `preferred` value on the `enable underlay` configuration option.\n Also the `--underlay` option can be used in setuid mode or as the\n root user, although it was ignored previously.\n * Prefer again to use kernel overlayfs over fuse-overlayfs when a\n lower layer is FUSE and there\u0027s no writable upper layer, undoing the\n change from 1.2.0. Another workaround was found for the problem that\n change addressed. This applies in both setuid mode and in user\n namespace mode.\n * `--cwd` is now the preferred form of the flag for setting the\n container\u0027s working directory, though `--pwd` is still supported for\n compatibility.\n * The way `--home` is handled when running as root (e.g. sudo apptainer)\n or with `--fakeroot` has changed. Previously, we were only modifying\n the `HOME` environment variable in these cases, while leaving the\n container\u0027s `/etc/passwd` file unchanged (with its homedir field\n pointing to `/root`, regardless of the value passed to `--home`). With\n this change, both value of HOME and the contents of `/etc/passwd` in\n the container will reflect the value passed to `--home` if the\n container is readonly. If the container is writable, the\n `/etc/passwd` file is left alone because it can interfere with\n commands that want to modify it.\n * The `--vm` and related flags to start apptainer inside a VM have been\n removed. This functionality was related to the retired Singularity Desktop\n / SyOS projects.\n * The keyserver-related commands that were under `remote` have been moved to\n their own, dedicated `keyserver` command. 
Run `apptainer help keyserver`\n for more information.\n * The commands related to OCI/Docker registries that were under `remote` have\n been moved to their own, dedicated `registry` command. Run\n `apptainer help registry` for more information.\n * The `remote list` subcommand now outputs only remote endpoints (with\n keyservers and OCI/Docker registries having been moved to separate\n commands), and the output has been streamlined.\n * Adding a new remote endpoint using the `apptainer remote add` command will\n now set the new endpoint as default. This behavior can be suppressed by\n supplying the `--no-default` (or `-n`) flag to `remote add`.\n * Skip parsing build definition file template variables after comments\n beginning with a hash symbol.\n * The global `/tmp` directory is no longer used for gocryptfs mountpoints.\n- New Features \u0026 Functionality\n * The `remote status` command will now print the username, realname, and\n email of the logged-in user, if available.\n * Add monitoring feature support, which requires the usage of an\n additional tool named `apptheus`, this tool will put apptainer starter\n into a newly created cgroup and collect system metrics.\n * A new `--no-pid` flag for `apptainer run/shell/exec` disables the PID\n namespace inferred by `--containall` and `--compat`.\n * Added `--config` option to `keyserver` commands.\n * Honor an optional remoteName argument to the `keyserver list` command.\n * Added the `APPTAINER_ENCRYPTION_PEM_DATA` env var to allow for\n encrypting and running encrypted containers without a PEM file.\n * Adding `--sharens` mode for `apptainer exec/run/shell`, which makes it possible to\n run multiple apptainer instances created by the same parent using\n the same image in the same user namespace.\n- Make \u0027gocryptfs\u0027 an optional dependency.\n- Make apptainer definition templates version dependent.\n\n- Fix \u0027apptainer build\u0027 using signed packages from the SUSE\n Registry (boo#1221364).\n\n- Updated 
apptainer to version 1.2.5\n * Added `libnvidia-nvvm` to `nvliblist.conf`. Newer NVIDIA\n Drivers (known with \u003e= 525.85.05) require this lib to compile\n OpenCL programs against NVIDIA GPUs, i.e. `libnvidia-opencl`\n depends on `libnvidia-nvvm`.\n * Disable the usage of cgroup in instance creation when\n `--fakeroot` is passed.\n * Disable the usage of cgroup in instance creation when `hidepid`\n mount option on `/proc` is set.\n * Fixed a regression introduced in 1.2.0 where the user\u0027s\n password file information was not copied in to the container\n when there was a parent root-mapped user namespace (as is the\n case for example in `cvmfsexec`).\n * Added the upcoming NVIDIA driver library `libnvidia-gpucomp.so`\n to the list of libraries to add to NVIDIA GPU-enabled\n containers. Fixed missing error handling during the creation\n of an encrypted image that lead to the generation of corrupted\n images.\n * Use `APPTAINER_TMPDIR` for temporary files during privileged\n image encryption.\n * If rootless unified cgroups v2 is available when starting an\n image but `XDG_RUNTIME_DIR` or `DBUS_SESSION_BUS_ADDRESS` is\n not set, print an info message that stats will not be available\n instead of exiting with a fatal error.\n * Allow templated build arguments to definition files to have\n empty values.\n- Package .def templates separately for different SPs.\n\n- Do not build squashfuse, require it as a dependency.\n- Replace awkward \u0027Obsoletes: singularity-*\u0027 as well as the\n \u0027Provides: Singularity\u0027 by \u0027Conflicts:\u0027 and drop the provides -\n the versioning scheme does not match and we do not automatically\n migrate from one to the other.\n- Exclude platforms which do not provide all build dependencies.\n\n- updated to 1.2.3 with following changes:\n * The apptainer push/pull commands now show a progress bar for the oras\n protocol like there was for docker and library protocols.\n * The --nv and --rocm flags can now be used 
simultaneously.\n * Fix the use of APPTAINER_CONFIGDIR with apptainer instance start and action\n commands that refer to instance://.\n * Fix the issue that apptainer would not read credentials from the Docker\n fallback path ~/.docker/config.json if missing in the apptainer\n credentials.\n\n- updated to 1.2.2 with following changes:\n * Fix $APPTAINER_MESSAGELEVEL to correctly set the logging level.\n * Fix build failures when in setuid mode and unprivileged user namespaces are\n unavailable and the --fakeroot option is not selected.\n\n- updated to 1.2.1 to fix CVE-2023-38496 (an ineffective privilege drop before\n container network setup, so subsequent functions ran with root privileges;\n this only has impact when the starter runs with root privileges in\n setuid-root mode, which is not active in the openSUSE packages, see the\n CVE-2023-30549 note below)\n\n- update to 1.2.0 with following changes:\n * binary is built reproducible which disables plugins\n * Create the current working directory in a container when it doesn\u0027t exist.\n This restores behavior as it was before singularity 3.6.0. As a result,\n using --no-mount home won\u0027t have any effect when running apptainer from a\n home directory and will require --no-mount home,cwd to avoid mounting that\n directory.\n * Handle current working directory paths containing symlinks both on the host\n and in a container but pointing to different destinations. If detected, the\n current working directory is not mounted when the destination directory in\n the container exists.\n * Destination mount points are now sorted by shortest path first to ensure\n that a user bind doesn\u0027t override a previous bind path when set in\n arbitrary order on the CLI. This is also applied to image binds.\n * When the kernel supports unprivileged overlay mounts in a user namespace,\n the container will be constructed by default using an overlay instead of an\n underlay layout for bind mounts. A new --underlay action option can be used\n to prefer underlay instead of overlay.\n * sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new\n installations. 
This is an increase from 16 MiB in prior versions.\n * The apptainer cache is now architecture aware, so the same home directory\n cache can be shared by machines with different architectures.\n * Overlay is blocked on the panfs filesystem, allowing sandbox directories to\n be run from panfs without error.\n * Lookup and store user/group information in stage one prior to entering any\n namespaces, to fix an issue with winbind not correctly looking up\n user/group information when using user namespaces.\n- New features / functionalities\n * Support for unprivileged encryption of SIF files using gocryptfs. This is\n not compatible with privileged encryption, so containers encrypted by root\n need to be rebuilt by an unprivileged user.\n * Templating support for definition files. Users can now define variables in\n definition files via a matching pair of double curly brackets. Variables of\n the form {{ variable }} will be replaced by a value defined either by a\n variable=value entry in the %arguments section of the definition file or\n through new build options --build-arg or --build-arg-file.\n * Add a new instance run command that will execute the runscript when an\n instance is initiated instead of executing the startscript.\n * The sign and verify commands now support signing and verification with\n non-PGP key material by specifying the path to a private key via the --key\n flag.\n * The verify command now supports verification with X.509 certificates by\n specifying the path to a certificate via the --certificate flag. By\n default, the system root certificate pool is used as trust anchors unless\n overridden via the --certificate-roots flag. 
A pool of intermediate\n certificates that are not trust anchors, but can be used to form a\n certificate chain, can also be specified via the\n --certificate-intermediates flag.\n * Support for online verification checks of X.509 certificates using OCSP\n protocol via the new verify --ocsp-verify option.\n * The instance stats command displays the resource usage every second. The\n --no-stream option disables this interactive mode and shows the\n point-in-time usage.\n * Instances are now started in a cgroup by default, when run as root or when\n unified cgroups v2 with systemd as manager is configured. This allows\n apptainer instance stats to be supported by default when possible.\n * The instance start command now accepts an optional --app \u003cname\u003e argument\n which invokes a start script within the %appstart \u003cname\u003e section in the\n definition file. The instance stop command still only requires the instance\n name.\n * The instance name is now available inside an instance via the new\n APPTAINER_INSTANCE environment variable.\n * The --no-mount flag now accepts the value bind-paths to disable mounting of\n all bind path entries in apptainer.conf.\n Support for DOCKER_HOST parsing when using docker-daemon://\n DOCKER_USERNAME and DOCKER_PASSWORD supported without APPTAINER_ prefix.\n Add new Linux capabilities CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE.\n * The remote get-login-password command allows users to retrieve a remote\u0027s\n token. This enables piping the secret directly into docker login while\n preventing it from showing up in a shell\u0027s history.\n * Define EUID in %environment alongside UID.\n * In --rocm mode, the whole of /dev/dri is now bound into the container when\n --contain is in use. 
This makes /dev/dri/render devices available, required\n for later ROCm versions.\n\n- update to 1.1.9 with following changes:\n * Remove warning about unknown xino=on option from fuse-overlayfs, introduced\n in 1.1.8.\n * Ignore extraneous warning from fuse-overlayfs about a readonly /proc.\n * Fix dropped \u0027n\u0027 characters on some platforms in definition file stored as\n part of SIF metadata.\n * Remove duplicated group ids.\n * Fix not being able to handle multiple entries in LD_PRELOAD when binding\n fakeroot into container during apptainer startup for --fakeroot with\n fakeroot command.\n\n- Included a fix for CVE-2023-30549, a vulnerability in setuid-root\n installations of Apptainer; setuid-root mode was not active in the recent\n openSUSE packages, so they were not exposed. Still, the fix is included for\n completeness. The fix adds allow\n setuid-mount configuration options encrypted, squashfs, and extfs, and makes\n the default for extfs be \u0027no\u0027. That disables the use of extfs mounts\n including for overlays or binds while in the setuid-root mode, while leaving\n it enabled for unprivileged user namespace mode. 
The default for encrypted\n and squashfs is \u0027yes\u0027.\n- Other bug fixes:\n * Fix loop device \u0027no such device or address\u0027 spurious errors when using shared\n loop devices.\n * Add xino=on mount option for writable kernel overlay mount points to fix\n inode numbers consistency after kernel cache flush (not applicable to\n fuse-overlayfs).\n \n\n- updated to 1.1.7 with following changes:\n * Allow gpu options such as --nv to be nested by always inheriting all\n libraries bound in to a parent container\u0027s /.singularity.d/libs.\n * Map the user\u0027s home directory to the root home directory by default in the\n non-subuid fakeroot mode like it was in the subuid fakeroot mode, for both\n action commands and building containers from definition files.\n * Make the error message more helpful in another place where a remote is\n found to have no library client.\n * Avoid incorrect error when requesting fakeroot network.\n * Pass computed LD_LIBRARY_PATH to wrapped unsquashfs. 
Fixes issues where\n unsquashfs on host uses libraries in non-default paths.\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2024-244", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0244-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2024:0244-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3BEJQC6TDQZLJ4YE746IHLCFJFUQ2JKQ/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2024:0244-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3BEJQC6TDQZLJ4YE746IHLCFJFUQ2JKQ/" }, { "category": "self", "summary": "SUSE Bug 1221364", "url": "https://bugzilla.suse.com/1221364" }, { "category": "self", "summary": "SUSE Bug 1224114", "url": "https://bugzilla.suse.com/1224114" }, { "category": "self", "summary": "SUSE CVE CVE-2023-30549 page", "url": "https://www.suse.com/security/cve/CVE-2023-30549/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-38496 page", "url": "https://www.suse.com/security/cve/CVE-2023-38496/" }, { "category": "self", "summary": "SUSE CVE CVE-2024-3727 page", "url": "https://www.suse.com/security/cve/CVE-2024-3727/" } ], "title": "Security update for apptainer", "tracking": { "current_release_date": "2024-08-16T04:02:52Z", "generator": { "date": "2024-08-16T04:02:52Z", "engine": { "name": 
"cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:0244-1", "initial_release_date": "2024-08-16T04:02:52Z", "revision_history": [ { "date": "2024-08-16T04:02:52Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "apptainer-1.3.0-bp155.3.3.2.aarch64", "product": { "name": "apptainer-1.3.0-bp155.3.3.2.aarch64", "product_id": "apptainer-1.3.0-bp155.3.3.2.aarch64" } }, { "category": "product_version", "name": "libsquashfuse0-0.5.0-bp155.2.1.aarch64", "product": { "name": "libsquashfuse0-0.5.0-bp155.2.1.aarch64", "product_id": "libsquashfuse0-0.5.0-bp155.2.1.aarch64" } }, { "category": "product_version", "name": "squashfuse-0.5.0-bp155.2.1.aarch64", "product": { "name": "squashfuse-0.5.0-bp155.2.1.aarch64", "product_id": "squashfuse-0.5.0-bp155.2.1.aarch64" } }, { "category": "product_version", "name": "squashfuse-devel-0.5.0-bp155.2.1.aarch64", "product": { "name": "squashfuse-devel-0.5.0-bp155.2.1.aarch64", "product_id": "squashfuse-devel-0.5.0-bp155.2.1.aarch64" } }, { "category": "product_version", "name": "squashfuse-tools-0.5.0-bp155.2.1.aarch64", "product": { "name": "squashfuse-tools-0.5.0-bp155.2.1.aarch64", "product_id": "squashfuse-tools-0.5.0-bp155.2.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "libsquashfuse0-0.5.0-bp155.2.1.i586", "product": { "name": "libsquashfuse0-0.5.0-bp155.2.1.i586", "product_id": "libsquashfuse0-0.5.0-bp155.2.1.i586" } }, { "category": "product_version", "name": "squashfuse-0.5.0-bp155.2.1.i586", "product": { "name": "squashfuse-0.5.0-bp155.2.1.i586", "product_id": "squashfuse-0.5.0-bp155.2.1.i586" } }, { "category": "product_version", "name": "squashfuse-devel-0.5.0-bp155.2.1.i586", "product": { "name": "squashfuse-devel-0.5.0-bp155.2.1.i586", "product_id": 
"squashfuse-devel-0.5.0-bp155.2.1.i586" } }, { "category": "product_version", "name": "squashfuse-tools-0.5.0-bp155.2.1.i586", "product": { "name": "squashfuse-tools-0.5.0-bp155.2.1.i586", "product_id": "squashfuse-tools-0.5.0-bp155.2.1.i586" } } ], "category": "architecture", "name": "i586" }, { "branches": [ { "category": "product_version", "name": "apptainer-leap-1.3.0-bp155.3.3.2.noarch", "product": { "name": "apptainer-leap-1.3.0-bp155.3.3.2.noarch", "product_id": "apptainer-leap-1.3.0-bp155.3.3.2.noarch" } }, { "category": "product_version", "name": "apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "product": { "name": "apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "product_id": "apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch" } }, { "category": "product_version", "name": "apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "product": { "name": "apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "product_id": "apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "product": { "name": "libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "product_id": "libsquashfuse0-0.5.0-bp155.2.1.ppc64le" } }, { "category": "product_version", "name": "squashfuse-0.5.0-bp155.2.1.ppc64le", "product": { "name": "squashfuse-0.5.0-bp155.2.1.ppc64le", "product_id": "squashfuse-0.5.0-bp155.2.1.ppc64le" } }, { "category": "product_version", "name": "squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "product": { "name": "squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "product_id": "squashfuse-devel-0.5.0-bp155.2.1.ppc64le" } }, { "category": "product_version", "name": "squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "product": { "name": "squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "product_id": "squashfuse-tools-0.5.0-bp155.2.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "libsquashfuse0-0.5.0-bp155.2.1.s390x", 
"product": { "name": "libsquashfuse0-0.5.0-bp155.2.1.s390x", "product_id": "libsquashfuse0-0.5.0-bp155.2.1.s390x" } }, { "category": "product_version", "name": "squashfuse-0.5.0-bp155.2.1.s390x", "product": { "name": "squashfuse-0.5.0-bp155.2.1.s390x", "product_id": "squashfuse-0.5.0-bp155.2.1.s390x" } }, { "category": "product_version", "name": "squashfuse-devel-0.5.0-bp155.2.1.s390x", "product": { "name": "squashfuse-devel-0.5.0-bp155.2.1.s390x", "product_id": "squashfuse-devel-0.5.0-bp155.2.1.s390x" } }, { "category": "product_version", "name": "squashfuse-tools-0.5.0-bp155.2.1.s390x", "product": { "name": "squashfuse-tools-0.5.0-bp155.2.1.s390x", "product_id": "squashfuse-tools-0.5.0-bp155.2.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "apptainer-1.3.0-bp155.3.3.2.x86_64", "product": { "name": "apptainer-1.3.0-bp155.3.3.2.x86_64", "product_id": "apptainer-1.3.0-bp155.3.3.2.x86_64" } }, { "category": "product_version", "name": "libsquashfuse0-0.5.0-bp155.2.1.x86_64", "product": { "name": "libsquashfuse0-0.5.0-bp155.2.1.x86_64", "product_id": "libsquashfuse0-0.5.0-bp155.2.1.x86_64" } }, { "category": "product_version", "name": "squashfuse-0.5.0-bp155.2.1.x86_64", "product": { "name": "squashfuse-0.5.0-bp155.2.1.x86_64", "product_id": "squashfuse-0.5.0-bp155.2.1.x86_64" } }, { "category": "product_version", "name": "squashfuse-devel-0.5.0-bp155.2.1.x86_64", "product": { "name": "squashfuse-devel-0.5.0-bp155.2.1.x86_64", "product_id": "squashfuse-devel-0.5.0-bp155.2.1.x86_64" } }, { "category": "product_version", "name": "squashfuse-tools-0.5.0-bp155.2.1.x86_64", "product": { "name": "squashfuse-tools-0.5.0-bp155.2.1.x86_64", "product_id": "squashfuse-tools-0.5.0-bp155.2.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 15 SP5", "product": { "name": "SUSE Package Hub 15 SP5", "product_id": "SUSE Package 
Hub 15 SP5" } }, { "category": "product_name", "name": "openSUSE Leap 15.5", "product": { "name": "openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.5" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "apptainer-1.3.0-bp155.3.3.2.aarch64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64" }, "product_reference": "apptainer-1.3.0-bp155.3.3.2.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-1.3.0-bp155.3.3.2.x86_64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64" }, "product_reference": "apptainer-1.3.0-bp155.3.3.2.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-leap-1.3.0-bp155.3.3.2.noarch as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch" }, "product_reference": "apptainer-leap-1.3.0-bp155.3.3.2.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch" }, "product_reference": "apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 
SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch" }, "product_reference": "apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.aarch64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.i586 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.i586", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.ppc64le as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.s390x as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.x86_64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", 
"full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.aarch64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.i586 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.i586", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.ppc64le as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.s390x as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.x86_64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.aarch64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.aarch64", 
"relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.i586 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.i586", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.ppc64le as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.s390x as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.x86_64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.aarch64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.i586 as component of SUSE Package Hub 
15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.i586", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.ppc64le as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.s390x as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.x86_64 as component of SUSE Package Hub 15 SP5", "product_id": "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-1.3.0-bp155.3.3.2.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64" }, "product_reference": "apptainer-1.3.0-bp155.3.3.2.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-1.3.0-bp155.3.3.2.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64" }, "product_reference": "apptainer-1.3.0-bp155.3.3.2.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", 
"full_product_name": { "name": "apptainer-leap-1.3.0-bp155.3.3.2.noarch as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch" }, "product_reference": "apptainer-leap-1.3.0-bp155.3.3.2.noarch", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch" }, "product_reference": "apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch" }, "product_reference": "apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.i586 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.i586", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.ppc64le as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.ppc64le", 
"relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "libsquashfuse0-0.5.0-bp155.2.1.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64" }, "product_reference": "libsquashfuse0-0.5.0-bp155.2.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.i586 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.i586", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.ppc64le as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.s390x", 
"relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-0.5.0-bp155.2.1.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64" }, "product_reference": "squashfuse-0.5.0-bp155.2.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.i586 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.i586", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.ppc64le as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x" }, "product_reference": "squashfuse-devel-0.5.0-bp155.2.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-devel-0.5.0-bp155.2.1.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64" }, 
"product_reference": "squashfuse-devel-0.5.0-bp155.2.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.i586 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.i586", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.ppc64le as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "squashfuse-tools-0.5.0-bp155.2.1.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" }, "product_reference": "squashfuse-tools-0.5.0-bp155.2.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-30549", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-30549" } 
], "notes": [ { "category": "general", "text": "Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer \u003c 1.1.0 and installations that include apptainer-suid \u003c 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service and potentially for privilege escalation.\n\nApptainer 1.1.8 includes a patch that by default disables mounting of extfs filesystem types in setuid-root mode, while continuing to allow mounting of extfs filesystems in non-setuid \"rootless\" mode using fuse2fs.\n\nSome workarounds are possible. Either do not install apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid = no` in apptainer.conf. This requires having unprivileged user namespaces enabled and except for apptainer 1.1.x versions will disallow mounting of sif files, extfs files, and squashfs files in addition to other, less significant impacts. (Encrypted sif files are also not supported unprivileged in apptainer 1.1.x.). Alternatively, use the `limit containers` options in apptainer.conf/singularity.conf to limit sif files to trusted users, groups, and/or paths, and set `allow container extfs = no` to disallow mounting of extfs overlay files. 
The latter option by itself does not disallow mounting of extfs overlay partitions inside SIF files, so that\u0027s why the former options are also needed.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 
15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-30549", "url": "https://www.suse.com/security/cve/CVE-2023-30549" }, { "category": "external", "summary": "SUSE Bug 1210859 for CVE-2023-30549", "url": "https://bugzilla.suse.com/1210859" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 
SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 
15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 
SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 
15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-08-16T04:02:52Z", "details": "important" } ], "title": "CVE-2023-30549" }, { "cve": "CVE-2023-38496", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-38496" } ], "notes": [ { "category": "general", "text": "Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. 
There is no known workaround outside of upgrading to Apptainer 1.2.1.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 
15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-38496", "url": "https://www.suse.com/security/cve/CVE-2023-38496" }, { "category": "external", "summary": "SUSE Bug 1213659 for CVE-2023-38496", "url": "https://bugzilla.suse.com/1213659" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 
SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 
15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 
SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 
15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-08-16T04:02:52Z", "details": "moderate" } ], "title": "CVE-2023-38496" }, { "cve": "CVE-2024-3727", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-3727" } ], "notes": [ { "category": "general", "text": "A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 
SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 
15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2024-3727", "url": "https://www.suse.com/security/cve/CVE-2024-3727" }, { "category": "external", "summary": "SUSE Bug 1224112 for CVE-2024-3727", "url": "https://bugzilla.suse.com/1224112" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", 
"SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP5:apptainer-1.3.0-bp155.3.3.2.aarch64", "SUSE Package Hub 15 
SP5:apptainer-1.3.0-bp155.3.3.2.x86_64", "SUSE Package Hub 15 SP5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.i586", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "SUSE Package Hub 15 SP5:squashfuse-tools-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.aarch64", "openSUSE Leap 15.5:apptainer-1.3.0-bp155.3.3.2.x86_64", "openSUSE Leap 15.5:apptainer-leap-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_5-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:apptainer-sle15_6-1.3.0-bp155.3.3.2.noarch", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.i586", "openSUSE Leap 
15.5:libsquashfuse0-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:libsquashfuse0-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-devel-0.5.0-bp155.2.1.x86_64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.aarch64", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.i586", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.ppc64le", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.s390x", "openSUSE Leap 15.5:squashfuse-tools-0.5.0-bp155.2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-08-16T04:02:52Z", "details": "important" } ], "title": "CVE-2024-3727" } ] }
ghsa-mmx5-32m4-wxvx
Vulnerability from github
Published
2023-07-25 13:52
Modified
2023-07-25 13:52
Summary
Ineffective privileges drop when requesting container network
Details
Impact
The fix in https://github.com/apptainer/apptainer/pull/1523, included in Apptainer 1.2.0-rc.2, introduced an ineffective privilege drop when requesting container network setup; subsequent functions are therefore called with root privileges. The attack surface is rather limited for users, but an attacker could possibly craft a starter config to delete any directory on the host filesystem. This only affects setuid installations of Apptainer.
Patches
The security fix https://github.com/apptainer/apptainer/pull/1578 has been included in Apptainer 1.2.1.
Workarounds
There is no known workaround outside of upgrading to Apptainer 1.2.1.
{ "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/apptainer/apptainer" }, "ranges": [ { "events": [ { "introduced": "1.2.0" }, { "fixed": "1.2.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-38496" ], "database_specific": { "cwe_ids": [ "CWE-269" ], "github_reviewed": true, "github_reviewed_at": "2023-07-25T13:52:20Z", "nvd_published_at": "2023-07-25T22:15:10Z", "severity": "MODERATE" }, "details": "### Impact\n\nFix https://github.com/apptainer/apptainer/pull/1523 included in Apptainer 1.2.0-rc.2 has introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges. The attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. Only affects setuid installations of Apptainer. \n\n### Patches\n\nThe security fix https://github.com/apptainer/apptainer/pull/1578 has been included in Apptainer 1.2.1\n\n### Workarounds\n\nThere is no known workaround outside of upgrading to Apptainer 1.2.1", "id": "GHSA-mmx5-32m4-wxvx", "modified": "2023-07-25T13:52:20Z", "published": "2023-07-25T13:52:20Z", "references": [ { "type": "WEB", "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38496" }, { "type": "WEB", "url": "https://github.com/apptainer/apptainer/pull/1523" }, { "type": "WEB", "url": "https://github.com/apptainer/apptainer/pull/1578" }, { "type": "PACKAGE", "url": "https://github.com/apptainer/apptainer" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "type": "CVSS_V3" } ], "summary": "Ineffective privileges drop when requesting container network" }
fkie_cve-2023-38496
Vulnerability from fkie_nvd
Published
2023-07-25 22:15
Modified
2024-11-21 08:13
Severity ?
6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup; subsequent functions are therefore called with root privileges. The attack surface is rather limited for users, but an attacker could possibly craft a starter config to delete any directory on the host filesystem. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/apptainer/apptainer/pull/1523 | Patch | |
security-advisories@github.com | https://github.com/apptainer/apptainer/pull/1578 | Patch | |
security-advisories@github.com | https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apptainer/apptainer/pull/1523 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apptainer/apptainer/pull/1578 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
lfprojects | apptainer | 1.2.0 | |
lfprojects | apptainer | 1.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lfprojects:apptainer:1.2.0:-:*:*:*:go:*:*", "matchCriteriaId": "7B4FFEA3-9FB9-4B9F-968E-E5C3282B6786", "vulnerable": true }, { "criteria": "cpe:2.3:a:lfprojects:apptainer:1.2.0:rc2:*:*:*:go:*:*", "matchCriteriaId": "35B641D0-6C93-45F0-A297-1BBE3BF65DB6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1." } ], "id": "CVE-2023-38496", "lastModified": "2024-11-21T08:13:41.667", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2023-07-25T22:15:10.503", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/apptainer/apptainer/pull/1523" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/apptainer/apptainer/pull/1578" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/apptainer/apptainer/pull/1523" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/apptainer/apptainer/pull/1578" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" }, { "lang": "en", "value": "CWE-271" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
gsd-2023-38496
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup; subsequent functions are therefore called with root privileges. The attack surface is rather limited for users, but an attacker could possibly craft a starter config to delete any directory on the host filesystem. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.
Aliases
{ "GSD": { "alias": "CVE-2023-38496", "id": "GSD-2023-38496" }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2023-38496" ], "details": "Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1.", "id": "GSD-2023-38496", "modified": "2023-12-13T01:20:35.469390Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2023-38496", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "apptainer", "version": { "version_data": [ { "version_affected": "=", "version_value": "\u003e= 1.2.0-rc.2, \u003c 1.2.1" } ] } } ] }, "vendor_name": "apptainer" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1." 
} ] }, "impact": { "cvss": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "cweId": "CWE-271", "lang": "eng", "value": "CWE-271: Privilege Dropping / Lowering Errors" } ] }, { "description": [ { "cweId": "CWE-269", "lang": "eng", "value": "CWE-269: Improper Privilege Management" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx", "refsource": "MISC", "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx" }, { "name": "https://github.com/apptainer/apptainer/pull/1523", "refsource": "MISC", "url": "https://github.com/apptainer/apptainer/pull/1523" }, { "name": "https://github.com/apptainer/apptainer/pull/1578", "refsource": "MISC", "url": "https://github.com/apptainer/apptainer/pull/1578" } ] }, "source": { "advisory": "GHSA-mmx5-32m4-wxvx", "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003e=v1.2.0 \u003cv1.2.1", "affected_versions": "All versions starting from 1.2.0 before 1.2.1", "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "cwe_ids": [ "CWE-1035", "CWE-937" ], "date": "2023-07-26", "description": "Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. 
There is no known workaround outside of upgrading to Apptainer 1.2.1.", "fixed_versions": [ "v1.2.1" ], "identifier": "CVE-2023-38496", "identifiers": [ "GHSA-mmx5-32m4-wxvx", "CVE-2023-38496" ], "not_impacted": "All versions before 1.2.0, all versions starting from 1.2.1", "package_slug": "go/github.com/apptainer/apptainer", "pubdate": "2023-07-25", "solution": "Upgrade to version 1.2.1 or above.", "title": "Ineffective privileges drop when requesting container network", "urls": [ "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx", "https://github.com/apptainer/apptainer/pull/1578", "https://nvd.nist.gov/vuln/detail/CVE-2023-38496", "https://github.com/apptainer/apptainer/pull/1523", "https://github.com/advisories/GHSA-mmx5-32m4-wxvx" ], "uuid": "f4c3315e-de6c-4cc4-9b5a-8bed96471b42", "versions": [ { "commit": { "sha": "89d30fc996980e6d253c25715c621cda948b28b7", "tags": [ "v1.2.0" ], "timestamp": "20230718151951" }, "number": "v1.2.0" }, { "commit": { "sha": "01bed320096e93baa574586475d772d78470897d", "tags": [ "v1.2.1" ], "timestamp": "20230724203341" }, "number": "v1.2.1" } ] } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:lfprojects:apptainer:1.2.0:rc2:*:*:*:go:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:lfprojects:apptainer:1.2.0:-:*:*:*:go:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2023-38496" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Apptainer is an open source container platform. 
Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx", "refsource": "MISC", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx" }, { "name": "https://github.com/apptainer/apptainer/pull/1523", "refsource": "MISC", "tags": [ "Patch" ], "url": "https://github.com/apptainer/apptainer/pull/1523" }, { "name": "https://github.com/apptainer/apptainer/pull/1578", "refsource": "MISC", "tags": [ "Patch" ], "url": "https://github.com/apptainer/apptainer/pull/1578" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 1.4 } }, "lastModifiedDate": "2023-08-02T19:32Z", "publishedDate": "2023-07-25T22:15Z" } } }